Various security techniques are known in the art for detecting and mitigating attacks on computer networks. For example, U.S. Pat. No. 8,181,250, whose disclosure is incorporated herein by reference, describes a personalized honeypot for detecting information leaks and security breaches. The honeypot is configured for use with computing resources such as desktop and network resources such as address book contacts, instant messaging contacts, active directory user accounts, IP addresses, and files that contain particular content or that are stored in particular locations. The resources may be real for which protection against leakage is desired, or fake to operate as bait to lure and detect malicious attacks.
U.S. Pat. No. 7,383,578, whose disclosure is incorporated herein by reference, describes techniques for morphing a honeypot system on a dynamic and configurable basis. The morphing honeypot emulates a variety of services while falsely presenting information about potential vulnerabilities within the system that supports the honeypot. The morphing honeypot has the ability to dynamically change its personality or displayed characteristics using a variety of algorithms and a database of known operating system and service vulnerabilities. The morphing honeypot personality can be changed on a timed or scheduled basis, on the basis of activity that is generated by the presented honeypot personality, or on some other basis.
U.S. Patent Application Publication 2012/0254951, whose disclosure is incorporated herein by reference, describes a system including a detection unit configured to detect unauthorized access to one or more information processing apparatuses that are virtually implemented by virtual machines executed by a computer. An authorized network is configured to transfer authorized access to the one or more information processing apparatuses from an external network. A honeypot network is configured to transfer unauthorized access to the information processing apparatuses from the external network. A control unit is configured to connect the information processing apparatuses for which no unauthorized access has been detected to the authorized network, and to connect the information processing apparatuses for which unauthorized access has been detected to the honeypot network. The control unit shifts, in response to detecting unauthorized access by the detection unit, the corresponding information processing apparatus into a decoy mode in which the detected unauthorized access is disconnected from a normal operation.
U.S. Pat. No. 8,413,216, whose disclosure is incorporated herein by reference, describes techniques for simulating a large, realistic computer network. Virtual actors statistically emulate the behaviors of humans using networked devices or responses and automatic functions of networked equipment, and their stochastic actions are queued in buffer pools by a behavioral engine. An abstract machine engine creates the minimal interfaces needed for each actor, and the interfaces then communicate persistently over a network with each other and real and virtual network resources to form realistic network traffic. The network can respond to outside stimuli, such as a network mapping application, by responding with false views of the network in order to spoof hackers, and the actors can respond by altering a software defined network upon which they operate.